2
Security Analysis is a Formal Process. 1.Start by identifying the system (‘TOE’) and items to be protected. 2.Identify the security policies that must be enforced. 3.Define the trust relationships to be supported. 4.Perform a risk analysis to identify the threats. 5.Establish the assumptions of secure operation. 6.List the security objectives you must implement. 7.Define the resulting security functions (‘TSF’) to be provided. 8.Provide the detail, implement, and test.

3
What are the Items to be Protected? If you try to protect everything, you protect nothing. Can include data, equipment, reputation, and resources. Take into account time. Any security can be broken with enough time and resources. Provide alarms and appropriate responses.

4
Security Policies Discussed in an earlier lecture. Be realistic. If you can’t secure what you need to secure, perhaps you should reconsider building the system.

5
Trust Relationships Discussed in an earlier lecture. You must understand trust to be able to secure a system and have the system be usable. Trust should influence your security architecture.

6
Risk Analysis Discussed in an earlier lecture. Be realistic. Hackers are creative—don’t reject vulnerabilities out of hand. “Security by Obscurity” is not a solution. Don’t try to protect everything, but don’t leave obvious holes.

7
Assumptions of Secure Operation Discussed in an earlier lecture. “A statement of assumptions which are to be met by the environment of the TOE in order for the TOE to be considered secure.” (from the CCTool Manual) Should be associated with individual security objectives to help you select your security requirements.

8
The Security Mapping Process CCTool Manual

9
Security Analysis Relationships CCTool Manual

10
Security Objectives Result in Security Requirements CCTool Manual

11
CCTool/UoSTool Designed to assist in this process. Provides recommended solutions. You can also add your own –Threats –Policies –Assumptions –Objectives –Requirements

12
What are Security Objectives? Security objectives are the things you do to: –Enforce security policies –Mitigate risks Security objectives may be met by: –Things the system does to protect itself, and –Things you can assume the environment does for the system.

13
Finding CCTool An expert system to aid in security analysis. No longer supported by NIAP/NIST/NSA. Needs upgrading but still useful. Available from the module website. Available at Sunderland as the UoSTool

14
Security Objectives “The results of the analysis of the security environment can then be used to state the security objectives that counter the identified threats and address identified organizational security policies and assumptions. The security objectives should be consistent with the stated operational aim or product purpose of the system, and any knowledge about its physical environment.” CCTool Manual

15
Intent of the Objectives “The intent of determining security objectives is to address all of the security concerns and to declare which security aspects are either addressed directly by the system or by its environment. This categorization is based on a process incorporating engineering judgment, security policy, economic factors and risk acceptance decisions.” CCTool Manual

16
Sources of Security Functional Requirements “The CC and the associated security functional requirements are not meant to be a definitive answer to all the problems of IT security. Rather, the CC offers a set of well understood security functional requirements that can be used to create trusted products or systems reflecting the needs of the market. These security functional requirements are presented as the current state of the art in requirements specification and evaluation.” (CCTool Manual)

17
Background Issues of Security Functional Requirements “The IT security requirements are the refinement of the security objectives into a set of security requirements for the TOE and security requirements for the environment which, if met, will ensure that the TOE can meet its security objectives.” (CCTool Manual) “The CC presents security requirements under the distinct categories of functional requirements and assurance requirements.” (CCTool Manual)

18
How do You Use the Security Requirements? The functional requirements describe what your security solution must do to allow you to operate safely. These can be compared to the functionality provided by vendor software and hardware. The assurance requirements describe what development practices and testing the vendor must follow to assure the users that the functionality provided actually works.

19
Role of Security Testing “Security requirements generally include both requirements for the presence of desired behavior and requirements for the absence of undesired behavior. It is normally possible to demonstrate, by use or testing, the presence of the desired behavior. It is not always possible to perform a conclusive demonstration of absence of undesired behavior. Testing, design review, and implementation review contribute significantly to reducing the risk that such undesired behavior is present.” (CCTool Manual) Note, pen-testing is not necessarily required.

20
Open Problems Despite the emergence of a formal approach to the definition of security requirements, computer security has gotten worse, not better over the last 30 years. (Karger and Schell, 1974 and 2002) K&S note that current secure systems are less secure than Multics, and “Multics, with its security enhancements, was only deemed suitable for processing in a relatively benign ‘closed’ environment.” What they see missing is a verifiable security kernel to block professional hacker attacks using malicious software trapdoors. This is a currently emerging threat.